Edge traffic is divided into enterprise traffic (i.e., edge-to-data center and edge-to-edge flows) and edge-to-Internet traffic. Enterprise traffic includes communication between edge workload clusters and management clusters, while edge-to-Internet traffic covers TMC and Aria Operations, SD-WAN gateways, and other applications requiring Internet access.

For all three edge deployment types, the majority of the traffic can be grouped into two categories: enterprise (i.e. edge-to-data center) traffic and edge-to-Internet traffic. We also consider edge-to-edge flows and inbound traffic destined for edge applications to be part of enterprise traffic. Enterprise traffic includes traffic between edge workload clusters and management clusters in the data center, connectivity to the central Harbor registry, and other enterprise application flows. Examples of edge-to-Internet traffic include connectivity to TMC and Aria Operations for Applications from TKG clusters, connectivity to SD-WAN gateways, and other applications that require Internet access.

For an edge without the SD-WAN add-on, the edge traffic flows are shown in the diagram below. Edge-to-data center and inter-edge flows rely on existing WAN networks, while traffic requiring Internet access can either be backhauled to the data center and secured with a web proxy, or sent directly to the Internet locally through a firewall. It is common for workloads in edge TKG workload clusters to be configured with an HTTP proxy for Internet access, so that they can reach image registries while other outbound connectivity stays restricted. Please see the documentation here if you have an air-gapped environment.

Figure 1. Edge traffic flows without SD-WAN

For edge deployments that use the SD-WAN add-on, the configuration needed to give workload clusters and virtual machines Internet access is significantly simpler, and the traffic flows change slightly. Network routing and network security configuration can be centralized on the SD-WAN appliances if desired, since they become the default gateway and, optionally, the local DHCP server for the edge networks. Enterprise traffic traverses the SD-WAN overlay networks, which use both private (MPLS) circuits and public connections. Traffic destined for the Internet can follow one of the three options shown in the diagram, selected per flow based on the IP 5-tuple. The options are:

  1. Backhaul through the data center SD-WAN Hub

  2. Sent directly through the local ISP connection

  3. Forwarded through globally distributed SD-WAN SASE POPs

All three options, along with the rest of the edge policy, are configured through VMware SD-WAN’s Business Policy framework.
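To make the per-flow selection concrete, the following is an added example (not VMware SD-WAN Business Policy code or its configuration format) of a first-match 5-tuple policy that sorts constructed flows into the four paths described above: the SD-WAN overlay for enterprise destinations, and backhaul, local direct breakout, or a SASE POP for Internet destinations. The rule names, the edge subnet 10.50.0.0/16, and the use of the documentation ranges 203.0.113.0/24 and 198.51.100.0/24 as stand-ins for Internet destinations are all assumptions made for the example. The design point it shows is that anything not explicitly matched falls back to backhaul, so local breakout (the path that bypasses the data center proxy) is an explicit opt-in rather than the default.

```python
"""First-match 5-tuple flow policy, modelled on the edge egress options above.
Added example only; it is not VMware SD-WAN Business Policy code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    """One IP flow identified by its 5-tuple."""
    src: str
    dst: str
    proto: str   # 'tcp' or 'udp'
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    """A match on any subset of the 5-tuple; an empty field matches anything."""
    name: str
    action: str            # 'overlay' | 'backhaul' | 'direct' | 'sase'
    src_nets: tuple = ()   # CIDR strings
    dst_nets: tuple = ()
    protos: tuple = ()
    dports: tuple = ()


def _in_any(addr: str, nets: tuple) -> bool:
    if not nets:
        return True
    a = ip_address(addr)
    return any(a in ip_network(n) for n in nets)


def matches(rule: Rule, flow: Flow) -> bool:
    return (_in_any(flow.src, rule.src_nets)
            and _in_any(flow.dst, rule.dst_nets)
            and (not rule.protos or flow.proto in rule.protos)
            and (not rule.dports or flow.dport in rule.dports))


# Unmatched Internet traffic goes back to the data center, where the web proxy
# and central firewall inspect it (option 1 above).
DEFAULT_ACTION = "backhaul"


def classify(flow: Flow, rules: tuple, default: str = DEFAULT_ACTION):
    """Return (action, rule_name) for the first matching rule, else the default."""
    for rule in rules:
        if matches(rule, flow):
            return rule.action, rule.name
    return default, "default"


# Constructed policy. Order matters with first-match: the narrow SaaS rule sits
# before the broader direct-breakout rule so it is not shadowed by it.
ENTERPRISE_NETS = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
POLICY = (
    Rule("enterprise-overlay", "overlay", dst_nets=ENTERPRISE_NETS),
    Rule("saas-via-sase", "sase",
         dst_nets=("203.0.113.0/24",), protos=("tcp",), dports=(443,)),
    Rule("web-direct-breakout", "direct",
         src_nets=("10.50.0.0/16",), protos=("tcp",), dports=(443,)),
)

# Constructed sample flows from an edge site on 10.50.0.0/16.
SAMPLE_FLOWS = (
    Flow("10.50.1.10", "10.20.0.5", "tcp", 51000, 443),      # registry in DC
    Flow("10.50.1.10", "203.0.113.7", "tcp", 51001, 443),    # SaaS endpoint
    Flow("10.50.1.10", "198.51.100.9", "tcp", 51002, 443),   # general web
    Flow("10.50.1.10", "198.51.100.9", "tcp", 51003, 8443),  # non-standard port
    Flow("10.50.1.11", "192.168.7.20", "udp", 5000, 5000),   # another edge site
)


def path_counts(flows: tuple = SAMPLE_FLOWS, rules: tuple = POLICY) -> dict:
    """Count how many flows land on each path; useful for reviewing a policy."""
    counts: dict = {}
    for f in flows:
        action, _ = classify(f, rules)
        counts[action] = counts.get(action, 0) + 1
    return counts


if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        action, rule = classify(f, POLICY)
        print(f"{f.src}:{f.sport} -> {f.dst}:{f.dport}/{f.proto}  {action:8} ({rule})")
    print(path_counts())
```

The flow to port 8443 is the one worth noticing: it is Internet-bound but matches no breakout rule, so it lands on backhaul and is seen by the data center proxy. Widening the direct-breakout rule (for example, dropping its `dports` restriction) would silently move such flows past that inspection point, which is why the classification of a sample flow set is worth re-running whenever a Business Policy rule is broadened.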

Figure 2. Edge traffic flows with SD-WAN